Securing a VNC Server on Linux with SSH

If you're new to Linux or Unix, you might prefer a graphical user interface (GUI) to the command-line interface (CLI), and for remote access you can use a remote desktop protocol such as Virtual Network Computing (VNC), which gives you the full desktop over the network.

Some Linux distros come with a VNC server pre-installed, and for the others there are plenty of tutorials on getting started, so we'll skip the basics and focus on security. This tutorial assumes you already have a VNC server installed and running on a Linux/Unix machine.

Securing VNC with SSH

The classic VNC protocol protects the login with a DES-based challenge-response, not with real encryption: passwords are limited to eight characters, and anyone who captures the challenge and response on the local network or the Internet can brute-force the password offline. Worse, the session itself, including your keystrokes and the screen contents, isn't encrypted at all.

To fully secure your VNC sessions you can tunnel the traffic through an SSH connection to the server. First, set up an SSH server on the machine you want to reach and make sure its SSH port (22 by default) is reachable through the firewall. Then, on the computer you're connecting from, configure a local port forward in the SSH client, so that the VNC client talks to a port on your own machine and SSH carries the traffic, encrypted, to the VNC port on the server.

Here's how to configure the port forward in the PuTTY SSH client:

Enter the host name or IP address of the SSH server and select your private key file as usual.

Next, navigate to Connection > SSH > Tunnels.

For the Source port, enter the port on your local machine that the VNC client will connect to. Using "5900", the default port for display :0, means you don't need to specify a port in the VNC client; if a VNC server is already running locally on 5900, the forward won't bind, so pick another port such as 5910.

For the Destination, enter "localhost:" followed by the port of the VNC display you want to reach on the server. VNC listens on 5900 plus the display number, so display :1 is "localhost:5901". The "localhost" here is resolved on the server, which is why the forward still works when the VNC server only accepts connections from its own loopback interface.

Click the Add button.

If you'd like to save the connection settings, navigate back to the Session settings and click the Save button.

Now connect to the server with PuTTY, and while the session is open, point your VNC client at "localhost" (or "localhost:5900" if your client wants the port spelled out); the traffic travels through the SSH tunnel. Once this works, stop exposing the VNC port (5901 in this example) if you previously connected to it directly over the Internet: block it in the server's firewall, or better, make the VNC server listen only on the loopback interface (TigerVNC's vncserver accepts a -localhost option for this), so that the SSH tunnel is the only way in.
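The same forward from the command line, as an added example for OpenSSH users (this script is not from the original article). The host "vnc.example.org", user "alice" and display :1 are assumptions. It maps the display number to its port, refuses to start if the chosen local port is already taken, and uses ExitOnForwardFailure so ssh fails loudly instead of quietly logging in without the tunnel.

```shell
#!/bin/sh
# Added example: tunnel a VNC display over SSH with OpenSSH instead of PuTTY.
# Assumptions (not from the original article): SSH user "alice", server
# "vnc.example.org", VNC display :1 on the server, local forward port 5900.

# Map a VNC display (":1" or "1") to its TCP port: 5900 + display number.
vnc_port_for_display() {
    display="${1#:}"
    case "$display" in
        ''|*[!0-9]*) echo "bad display: $1" >&2; return 1 ;;
    esac
    echo $((5900 + $display))
}

# Build the ssh command that forwards LOCALPORT on this machine to the VNC
# port on the server's loopback interface. -N: no remote shell, tunnel only.
# ExitOnForwardFailure=yes makes ssh exit when the -L bind fails (for example
# because the local port is in use) instead of connecting without the tunnel.
build_tunnel_cmd() {
    user="$1"; host="$2"; display="$3"; localport="${4:-5900}"
    remoteport=$(vnc_port_for_display "$display") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:localhost:%s %s@%s\n' \
        "$localport" "$remoteport" "$user" "$host"
}

# Succeed only if nothing already listens on the given local TCP port
# (a local VNC server on 5900 is the usual culprit). Uses ss, or netstat
# on systems without it.
local_port_free() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
    else
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
    fi
}

main() {
    localport=5900
    if ! local_port_free "$localport"; then
        echo "local port $localport is in use; pick another, e.g. 5910" >&2
        exit 1
    fi
    cmd=$(build_tunnel_cmd alice vnc.example.org :1 "$localport") || exit 1
    echo "starting tunnel: $cmd"
    sh -c "$cmd" &
    sshpid=$!
    # Give ssh a moment to authenticate; a more robust script would poll the
    # local port until it accepts connections.
    sleep 3
    # The viewer takes a display number: local port 5900 is display :0.
    vncviewer "localhost:$((localport - 5900))"
    kill "$sshpid"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with --run; the tunnel is torn down when you close the viewer. If you'd rather keep the tunnel in the background, replace the sh -c line with ssh -f -N and the same options, and note that the VNC server itself still needs to be reachable on localhost:5901 from the server's point of view.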

Changing the VNC Password

If you'd like to change your VNC server's password, use the vncpasswd command; the vncserver script runs the same command for you the first time you start a VNC desktop. It stores an obfuscated version of the password in the password file, by default $HOME/.vnc/passwd.

That obfuscation is DES encryption with a fixed key that every VNC implementation shares, not real protection, so anyone who can read the password file can turn it back into the plain-text password. vncpasswd creates the file readable by its owner only (mode 0600); check that nothing has loosened those permissions, and treat the file as a secret rather than as a password hash.

When you're ready to change the password, enter the following command in the Terminal, either on the machine directly or remotely using an SSH client like PuTTY:

vncpasswd

You'll be prompted twice for the new password. It must be at least six characters, and only the first eight are used, a limit of the VNC authentication scheme itself (vncpasswd warns you when it truncates). Then restart the VNC server by killing the current session/display (display :1 here):

vncserver -kill :1

Then you can start the VNC session or display again by entering:

vncserver
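To make the warning about the password file concrete, here is an added example (not from the original article) that checks the file's permissions and recovers the stored password the way an attacker who can read the file would. It assumes openssl is installed and that the file is at $HOME/.vnc/passwd unless you pass another path.

```shell
#!/bin/sh
# Added example: why ~/.vnc/passwd is a secret, not a hash.
# Assumptions (not from the original article): openssl is available; the
# password file defaults to $HOME/.vnc/passwd.

# The fixed VNC obfuscation key, bytes 23,82,107,6,35,78,88,7, written with
# each byte bit-reversed, which is the form a standard DES implementation
# such as openssl expects.
VNC_FIXED_KEY=e84ad660c4721ae0

# Succeed only if the file carries no group or world permission bits,
# i.e. the 0600 that vncpasswd sets. Columns 5-10 of ls -l are the
# group and other bits.
passwd_file_private() {
    mode=$(ls -ld "$1" | cut -c5-10) || return 1
    [ "$mode" = "------" ]
}

# Decrypt the first 8-byte block of the file (the full-access password;
# a second block, if present, is a view-only password) and print it.
# Single DES lives in OpenSSL 3's legacy provider, so pass the provider
# flags when running under OpenSSL 3 and nothing under OpenSSL 1.1.
decode_vnc_passwd() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    if openssl list -providers >/dev/null 2>&1; then
        prov="-provider legacy -provider default"
    else
        prov=""
    fi
    # $prov is unquoted on purpose so it splits into separate flags.
    head -c 8 "$file" | openssl enc -des-ecb -d -nopad -K "$VNC_FIXED_KEY" $prov \
        | tr -d '\000'
    echo
}

main() {
    file="${1:-$HOME/.vnc/passwd}"
    if passwd_file_private "$file"; then
        echo "$file: permissions OK (owner only)"
    else
        echo "$file: WARNING, readable by group or others; run: chmod 600 $file" >&2
    fi
    printf 'recovered password: '
    decode_vnc_passwd "$file"
}

if [ "${1:-}" = "--check" ]; then
    shift
    main "$@"
fi
```

Run it as ./vncpasswd-check.sh --check to inspect your own file. The point is not the decoding trick itself but what it implies: the VNC password is only as safe as the read permissions on that file and on any backups of your home directory, which is one more reason to put the whole service behind SSH and its key-based authentication.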

Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity, which provides a cloud-based Wi-Fi security service for businesses, and On Spot Techs, which provides on-site computer services.